Synapse & GDPR: The Basics You Need To Know

6th April 2018

In recent years, the world has been undergoing a technological revolution. The past 20 years have changed the way that we use the internet in a way that is indistinguishable from the online behaviour of the average person in 1998, which is when the previous Data Protection Directive was implemented.

Now, data is the most valuable resource in the world, and organisations know this. The biggest businesses in the world - Google, Facebook, Amazon, and many more - are collecting data every day that informs their choices, marketing and technologies. This creates an environment where individuals are being treated as a commodity. The EU saw that the current data protection provision was no longer doing the job it needed to do. Data was still being misused, and there were no regulations that were protecting people.

This is where GDPR comes in. It’s a standardized set of regulations that applies to any organisation within, or conducting business within, the EU. These regulations add to what is currently in place to provide individuals with a more comprehensive set of rights and organisations with an extensive set of guidelines to follow.

This will go into effect on 25th May. From that date you should be already compliant with the new regulations, so it’s important to understand what’s expected of you ahead of time. GDPR is something that can require you to do lot of internal research, but there are a few important aspects that everyone should understand:

Consent

Every time you gather data from your users or staff, you need to obtain unambiguous consent to do this. The ICO expands that unambiguous should mean informed and active consent; inaction, assumptions or pre-ticked boxes are not compliant.

Data Protection Officer

In some cases, it is mandatory to appoint a Data Protection Officer to monitor and regulate your data processing. This could be because you are a public authority, frequently have access to sensitive data or a multitude of other reasons that are outlined by the ICO. For others, a DPO is not required to be compliant, but is still something that you should consider for the benefit of your business and clients.

Privacy by Design

When building and implementing a new system, you should be ensuring that data is protected as a built-in function instead of an afterthought. This can be done at the planning stage by performing a data protection impact assessment to determine any issues that need to be addressed early on.

EU Transfers

If your business is not based in the EU, or does business outside of it, you still need to comply with GDPR regulations. This includes information that is transmitted under the EU-US Privacy Shield.

Personal Data

Before you begin anything further, your organisation should have a clear knowledge of the personal data that they handle and the associated data flow. This can include financial data and staff information as well as customer data.

Data Subject Rights

The rights of the individual are now far more defined and developed than they were beforehand. It’s important that you familiarise yourself with these (please see below) and comply with the requirements made of you.

Legal Basis For Processing

You now need to have a legal basis for processing the data that you do each day. Most businesses can cover their daily actions under the permissible reasons, but you must be able to prove this in the event of an audit.

Legitimate Interest: if you need to process data for a legitimate interest of either yourself or a third party, you are permitted to do so as long as there is no valid reason to protect an individual’s data that overrides these reasons.

Vital Interest: If you need to process data in order to safeguard a life

Public Task: If your data processing is required to complete work in the public interest or for official functions with a foundation in law.

Legal Obligation: If you must process data to comply with the law

Contractual Obligation: If the data you process is required through a contract with the user, or requested ahead of entering into a contract

Consent: If you have gained unambiguous consent from your user to process their data to fulfil a specific purpose

Data Security and Controls

Your company should be putting in data security controls that enable you to protect data. In the event of a breach, you have a mandatory obligation to report it to the ICO or relevant authority, and the user if their rights or freedoms have been put at risk.

Principles

You must adhere to the principles of the GDPR by ensuring that your data subjects have control over their data and that you make efforts to protect it. This can be done through transparency, lawfulness, purpose and confidentiality.

If you fail to comply with the new regulations, your business is at serious risk. There is a standard penalty of either 4% of your annual global turnover or £20,000,000 - whichever is the greater sum. For some, this could mean devastation for your business. The 2 year ‘grace period’ is already coming to an end, and therefore shouldn’t be relied on, You are still liable for the full sanctions at any time, should an auditor wish to issue you with it.

You should also be aware of the new rights for individuals, as they directly affect your business. You need to be able to provide your users with an experience that’s within their rights, and deliver information and solutions when they request them.

The Right To Object

A user can object to their data being processed for scientific, historical, marketing or official authority purposes.

The Right To Erasure

A user can request that you erase all the personal or sensitive data you have from them at any time, if they want to retract consent or the data no longer serves the original purpose.

The Right to Restrict Processing

For some, there is a legal requirement that data is retained or a denial of an individual objection. In these events, you must instead restrict the processing instead of deletion.

The Right of Access

Your users can ask for confirmation that their data is being processed, and access this information if they wish.

The Right To Be Informed

Your users have the right to understand the reason and method of data processing. You need to be able to provide this in a clear, concise and easily understandable way. You may not charge any fee to do this.

The Right to Data Portability

In the event that a user wants to move their data to another provider, you must give them the information in a secure and usable format.

Rights in Relation To Automated Decision Making & Profiling

Your automated decision making is also covered by GDPR, and can be objected to by the user. In this case, they are entitled to an explanation and to be helped by a human.

Security in all forms should be your priority as a business owner. To discuss your gap analysis, talk to us today.

Your login details have been used by another user or machine. Login details can only be used once at any one time so you have therefore automatically been logged out. Please contact your sites administrator if you believe this other user or machine has unauthorised access.